Paying for Flaws: Undermining Security or Rewarding Good Deeds?

News Analysis: Tipping Point's new Zero Day Initiative has validated the market for buying information on security flaws from underground hackers. However, some in the security research community still balk at the idea.

3Com Corp.'s announcement that its Tipping Point division would start paying for the rights to security flaw information found by private researchers has reignited an old debate: Should underground hackers benefit from breaking into software systems?

Tipping Point's new ZDI (Zero Day Initiative), which will take center stage at the Black Hat Briefings in Las Vegas later this week, effectively validates the market for rewarding members of the digital underground, but Internet security experts argue that the practice undermines the principle of responsibly reporting vulnerabilities directly to software vendors.

For many, the business of finding software vulnerabilities should never be a for-profit exercise.

"People should never be rewarded for breaking into software and finding weaknesses. They should do it out of a need to create a more secure environment for everyone," said one researcher, who declined to be identified.

"The more we see these companies throwing money at underground hackers, the more it creates an unstable environment where the software vendor will be held to ransom."

That reaction isn't uncommon. In a recent interview with Ziff Davis Internet news, eEye Digital Security Chief Operating Officer Firas Raouf said his company had a fundamental objection to paying for security flaws.

"You end up getting people who aren't necessarily experts in the field trying to find something and sell it to the highest bidder … Once you start this, unless there's a strict process in place to manage it, you may end up with more problems for everyone," Raouf said.

iDefense Inc., the security intelligence firm that was recently acquired by VeriSign Inc., was the first to tap into the market for security flaw information.

The company's 3-year-old VCP (Vulnerability Contributor Program) offers financial incentives to anonymous researchers who agree to hand iDefense exclusive rights to advance notification of unpublished vulnerabilities or exploit code.

Since the launch of the VCP, more than 80 percent of all vulnerabilities reported by iDefense were purchased from private, sometimes anonymous, software researchers, according to Michael Sutton, director of iDefense Labs.

In an interview, Sutton said more than 1,100 vulnerabilities have been submitted to the VCP by more than 200 security researchers.

Of that total, about 50 percent are validated as legitimate security flaws.

Once validated, iDefense will pay an undisclosed sum for the exclusive intellectual property rights to the research.

"This program works very well. The researchers make money for their work, the vendors get the benefit of responsible advance notices, and the end users get well-tested patches," Sutton said.

"It's not surprising to see Tipping Point launch a similar program. We've been a pioneer with this concept, and we've had incredible success over the years. When you run a successful program, you have to expect competition," he said.

"It really validates what we've been doing with the VCP. It just shows there's a big demand for vulnerability information and provides a big incentive for researchers who spend hours finding security flaws," Sutton added.

Thor Larholm, senior security researcher at PivX Solutions LLC, isn't quite happy with the way iDefense resells the flaw information it purchases, but agrees that paying for flaw information will become the norm once others enter the business.

"Five years ago, it used to be a big deal for a researcher to get credited in a Microsoft bulletin. We're well past those days. People want to be compensated for the work they do, and these programs offer real incentives," Larholm said, noting that the discovery of a bug in a widely deployed Internet-facing application could net a researcher a sum in the range of $6,000.

iDefense's Sutton declined to discuss the price point for flaw information. "We don't discuss pricing, but I can tell you there's real value in that information."

Larholm believes the Tipping Point and iDefense initiatives will push software vendors like Microsoft Corp. into paying for bugs found by outside researchers.

The software giant says it has never paid for information from private individuals.

"We credit finders who report vulnerabilities under responsible disclosure and, from time to time, [we have] contracted security research companies to review code for products under development," a company spokesperson said recently.

Larholm believes it's only a matter of time before Microsoft shifts its thinking.

"It would require a cultural change within Microsoft, but I think it's a change that will eventually happen. If there are other avenues for researchers to get paid for their work, very few people will be going to Microsoft directly. It's up to Microsoft to figure out whether they want that information in the hands of iDefense and Tipping Point customers before they can get a patch released."

"When a researcher works with Microsoft today, all they get is their name buried deep in a bulletin. In the past, researchers were happy to get the fame and notoriety, but that has changed. It has become hard work to find flaws because vendors are taking security more and more seriously. Today, it calls for heavy reverse-engineering and long days of work to crack into a product. These guys are looking to get paid," Larholm added.

iDefense's Sutton thinks Microsoft and other big-name vendors like Apple Computer Inc., Oracle Corp., IBM Corp. and Sun Microsystems Inc. should all think about paying for external vulnerability research.

"People who uncover vulnerabilities have skills that are sought-after. The VCP has been successful for three years because there is value in that information. Tipping Point is launching a program because there is a market for the research. I believe those researchers have a right to profit from their skills. It's unfair to expect people to take time to find vulnerabilities and then give it away for free. The days of being happy with a mention in a Microsoft bulletin are long gone," Sutton added.

"If Microsoft was to start such a program, it would be a good thing. You can't expect quality assurance work for free anymore."